apache 訪問許可權出錯，apache selinux 許可權問題， (13) Permission Denied

今天在使用 httpd 做文件伺服器的時候，發現 png 圖像沒有打開，但是原本www/html 文件夾內部的文件就可以打開。後來猜測是selinux 的問題，之前一直想寫一篇關於selinux 的博文，現在先在這裡提到一點吧。

欲詳細解決  (13) Permission Denied 問題， 可以參考apache 官方文檔 (13) Permission Denied

我們可以首先使用 setenforce 0 讓selinux 暫時關閉，定位到是否是selinux 許可權的問題。如果 關閉後，可以正常訪問，我們可以進一步來進行解決：

用過 ls -Z 查看 selinux 許可權：

root@yaowenxu /v/w/html# ls -alZ
total 176
drwxr-xrwx. 2 root     root     system_u:object_r:httpd_sys_content_t:s0      4096 Aug 20 13:24  ./
drwxr-xr-x. 4 root     root     system_u:object_r:httpd_sys_content_t:s0      4096 Jul 20 18:30  ../
-rw-r--r--. 1 xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0 10292 Aug 19 17:51 'Screenshot from 2018-08-19 17-50-59.png'
-rw-r--r--. 1 xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0 68579 Aug 20 11:32 'Screenshot from 2018-08-20 11-32-51.png'
-rw-r--r--. 1 xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0 85378 Aug 20 13:24 'Screenshot from 2018-08-20 13-24-10.png'
-rw----r--. 1 root     root     unconfined_u:object_r:httpd_sys_content_t:s0     9 Aug 20 11:47  xuyaowen

查看是否是 httpd_sys_content_t 許可權，如果不是，通過命令進行設置許可權，我這裡讓http 所有文件設置為上述預設許可權：

root@yaowenxu /v/w/html# chmod -R -t httpd_sys_content_t html

這樣便能保持 selinux 的許可權的一致性。不用多次修改了。

當然你也可以禁止 selinux : 暫時禁止使用 setenforce 命令，永久禁止修改配置文件，如下所示：

vi /etc/sysconfig/selinux  
    SELINUX=enforcing --> SELINUX=disabled  

不保護apache:

setsebool -P httpd_disable_trans 1  

更多配置相關，請通過man命令，參考 selinux 說明和 selinux/apache 說明。

httpd_selinux(8)      httpd Selinux Policy documentation      httpd_selinux(8)

NAME
httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION
Security-Enhanced Linux secures the httpd server via flexible mandatory
access control.

FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.   Policy governs the access daemons have to these files.  SELinux
httpd policy is very flexible allowing users to setup  their  web  ser-
vices in as secure a method as possible.

The following file contexts types are defined for httpd:

httpd_sys_content_t
- Set files with httpd_sys_content_t for content which is avail-
able from all httpd scripts and the daemon.

httpd_sys_script_exec_t
- Set cgi scripts with httpd_sys_script_exec_t to allow them  to
run with access to all sys types.

httpd_sys_script_ro_t
-   Set   files   with   httpd_sys_script_ro_t   if   you   want
httpd_sys_script_exec_t scripts to read the data,  and  disallow
other sys scripts from access.

httpd_sys_script_rw_t
-   Set   files   with   httpd_sys_script_rw_t   if   you   want
httpd_sys_script_exec_t scripts to read/write the data, and dis-
allow other non sys scripts from access.

httpd_sys_script_ra_t
-   Set   files   with   httpd_sys_script_ra_t   if   you   want
httpd_sys_script_exec_t scripts to read/append to the file,  and
disallow other non sys scripts from access.

httpd_unconfined_script_exec_t
-  Set  cgi scripts with httpd_unconfined_script_exec_t to allow
them to run without any SELinux protection. This should only  be
used  for  a  very  complex  httpd scripts, after exhausting all
other options.  It is better to  use  this  script  rather  than
turning off SELinux protection for httpd.

NOTE
With  certain  policies  you can define addional file contexts based on
roles like user or  staff.   httpd_user_script_exec_t  can  be  defined
where it would only have access to "user" contexts.

SHARING FILES
If  you  want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and  public_con-
tent_rw_t.   These  context  allow any of the above domains to read the
content.  If you want a particular domain to write to  the  public_con-
tent_rw_t    domain,    you   must   set   the   appropriate   boolean.
allow_DOMAIN_anon_write.  So for httpd you would execute:

setsebool -P allow_httpd_anon_write=1

or

setsebool -P allow_httpd_sys_script_anon_write=1

BOOLEANS
SELinux policy is customizable based on least access required.   So  by
default SElinux prevents certain http scripts from working.  httpd pol-
icy is extremely flexible and has several booleans that  allow  you  to
manipulate  the policy and run httpd with the tightest access possible.

httpd  can  be  setup  to  allow  cgi  scripts  to  be  executed,   set
httpd_enable_cgi to allow this

setsebool -P httpd_enable_cgi 1

httpd by default is not allowed to access users home  directories.   If
you  want to allow access to users home directories you need to set the
httpd_enable_homedirs boolean and change the context of the files  that
you want people to access off the home dir.

setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html

httpd by default is not allowed access to the controling terminal.   In
most  cases  this is prefered, because an intruder might be able to use
the access to the terminal to gain privileges. But  in  certain  situa-
tions  httpd needs to prompt for a password to open a certificate file,
in these cases, terminal access is required.   Set  the  httpd_tty_comm
boolean to allow terminal access.

setsebool -P httpd_tty_comm 1

httpd can be configured to not differentiate  file  controls  based  on
context, i.e. all files labeled as httpd context can be read/write/exe-
cute.  Setting this boolean to false allows you to setup  the  security
policy such that one httpd service can not interfere with another.

setsebool -P httpd_unified 0

httpd can be configured to turn off internal scripting (PHP).  PHP  and
other
loadable modules run under the same context as httpd.  Therefore
several  policy  rules  allow httpd greater access to the system
then is needed if you only use external cgi scripts.

setsebool -P httpd_builtin_scripting 0

httpd scripts by default are not allowed to connect out to the network.
This would prevent a hacker from breaking into you httpd  server
and attacking other machines.  If you need scripts to be able to
connect you can set the httpd_can_network_connect boolean on.

setsebool -P httpd_can_network_connect 1

You can disable suexec transition, set httpd_suexec_disable_trans  deny
this

setsebool -P httpd_suexec_disable_trans 1

You can disable SELinux protection for the httpd daemon by executing:

setsebool -P httpd_disable_trans 1
service httpd restart

system-config-securitylevel  is  a  GUI  tool  available  to  customize
SELinux policy settings.

AUTHOR
This manual page was written by Dan Walsh <[email protected]>.

SEE ALSO
selinux(8), httpd(8), chcon(1), setsebool(8)

[email protected]                 17 Jan 2005                 httpd_selinux(8)

 保持更新，轉載請註明出處。如果對你有幫助，請點擊右下角推薦。